SAP Governance, Risk and Compliance

Segregation of duties and access control - Leveraging SAP GRC to meet the challenges

Your Challenges

Are you worried about unauthorised access to critical systems and confidential information?

Are you able to identify and address segregation of duties (SoD) conflicts effectively?

Is access control technology really beneficial and necessary?

Meeting Your Needs

Why segregation of duties and access control?

With the heightened focus on corporate governance and internal controls in today's business environment, organisations need to implement effective measures for achieving regulatory compliance and meeting a variety of stakeholder demands, among them the demand for a more effective Governance, Risk management and Compliance (GRC) programme.

Implementing effective and efficient internal controls is an important aspect of a GRC programme. Internal controls are mechanisms that help organisations achieve their business objectives while containing the risks that can lead to financial, operational and reputational losses. The quality of an organisation's internal controls is directly linked to its ability to execute business transactions and to sustain productivity and profitability.

Internal controls in a business environment are often enforced through segregation of duties in business processes. Different roles and responsibilities are assigned to different individuals to provide a check-and-balance environment appropriate to the risk level of the business. Segregation of duties is naturally embedded in the hierarchical and compartmentalised structure of any business organisation.

However, there is often a blind spot: access to computer systems. Now that computer systems touch almost every aspect of business, organisations increasingly rely on technology-based access control to enforce segregation of duties. Without proper and adequate access control, organisations may find out the hard way that segregation of duties has been bypassed and the controls no longer work.

Addressing the key issues

Many organisations have difficulty managing segregation of duties and access controls. They often discover this through inspections and audits or, in some cases, fraud investigations. The three common issues are:

How to identify SoD conflicts, and what level of segregation is adequate

How to balance the inconvenience of access controls against productivity

How to monitor, on a continuous basis, the use of powerful system functions and unauthorised access to confidential information

At the scale of a typical ERP landscape, these three issues cannot be addressed effectively without the support of access control technology.

SAP GRC Access Control enables you to achieve:

Minimal time to compliance – by setting up the right access controls using a comprehensive library of SoD rules, which allows you to go live quickly, clean up existing violations cost-effectively and stop future violations.

Continuous access management – by enforcing SoD compliance from the start with enterprise-wide role design, documentation and maintenance that eliminate manual errors and enforce good practice. This prevents the reintroduction of SoD violations and allows business users to perform emergency activities with superuser privileges in a controlled manner.

Effective management oversight and audit – by giving managers comprehensive oversight through user access reaffirmations and reviews of access risks, SoD rules, mitigating controls and roles. Audit trails cover role provisioning, user provisioning, emergency access and more. Auditors can then validate management oversight more easily and more completely, confirming that all access is properly authorised and that SoD risks are appropriately mitigated, so that the business complies with its policies.

The importance of a holistic GRC approach

Building and implementing segregation of duties and access control requires a holistic approach that is woven into the fabric of the organisation, usually as part of a larger GRC programme. Under this view, an effective governance structure is put in place, and roles and responsibilities are clearly defined. Risk identification, assessment and mitigation are closely tied to the achievement of the organisation's business objectives. Executives and management have ready access to timely, accurate, relevant information about controls and their impact on risk exposure. In other words, segregation of duties and access control are not the responsibility of one or two departments; they are a concerted effort of everyone in the organisation, from the Board right down to the staff on the ground.

PwC is the specialist in SoD and access control

As one of the largest and most experienced global providers of GRC services, PwC has been working closely with technology providers such as SAP to help organisations create integrated, sustainable GRC programmes.

PwC’s proven methodology and approach ensure that organisations implement and operate SAP GRC Access Control using proper Strategy, Structure, Process, People and Technology.

Our approach recognises that technology is not a solution but an enabler, a tool to efficiently gather and analyse data and support people and processes. With one of the largest available global resource pools of SAP GRC technologies, we work with organisations to address a wide range of GRC issues. We can help you:

Define the strategic vision for an integrated GRC programme at the most appropriate level – enterprise, regional or divisional – to ensure you remain within your risk tolerance

Conduct a current state assessment of GRC capabilities and identify gaps and requirements for key risks and controls, typically in areas such as training, monitoring and project risk reviews

Implement and integrate the solution in accordance with the strategic vision

Conduct testing, remediation and training activities to maintain the effectiveness of the GRC programme, personnel, and policies

The effect of tightening SoD and access controls

Organisations that have gone through this exercise typically experience the following:

Clearer defined set of SoD rules

Significantly fewer transaction codes assigned to each user. In the example below, originally 45% of users had more than 500 transaction codes each. After the exercise, 90% of users had fewer than 300 codes each.
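The mechanics behind the claims above, as an added Python example that is not PwC's or SAP's code: a library of SoD rules is applied to each user's effective transaction codes (the union over all assigned roles), accepted risks carry a mitigating control so the residual, unmitigated conflicts can be reported to an auditor, the same rules are applied to a role on its own so a conflict is rejected at design time rather than rediscovered after assignment, and the per-user transaction-code counts behind a before/after figure like the 45%/90% statistic are computed. The business functions, rule identifiers P001 to P003, role names, users and mitigation id MC-017 are all constructed for illustration; the transaction codes are real SAP names but the grouping is not SAP's delivered rule set. Matching is done on transaction-code names only, whereas SAP GRC Access Control also evaluates authorization objects, so a display-only role sharing a code name would not fire there.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Business functions as sets of SAP transaction codes. The tcodes are real SAP
# transactions; the grouping into functions is constructed for this example.
FUNCTIONS: Dict[str, Set[str]] = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01", "FK02"},
    "VENDOR_INVOICE": {"FB60", "MIRO"},
    "PAYMENT_RUN": {"F110"},
    "PO_CREATE": {"ME21N", "ME22N"},
    "GOODS_RECEIPT": {"MIGO"},
}

# Constructed SoD rule library: (rule id, description, function A, function B, risk).
# A rule fires when one subject holds at least one tcode from each function.
RULES: List[Tuple[str, str, str, str, str]] = [
    ("P001", "Maintain vendor master and run payments", "VENDOR_MAINTAIN", "PAYMENT_RUN", "High"),
    ("P002", "Enter vendor invoices and run payments", "VENDOR_INVOICE", "PAYMENT_RUN", "High"),
    ("P003", "Create purchase orders and post goods receipts", "PO_CREATE", "GOODS_RECEIPT", "Medium"),
]

# Constructed role catalogue and user-to-role assignments.
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FB03"},
    "Z_AP_PAYMENTS": {"F110", "FBL1N"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_BUYER": {"ME21N", "ME22N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO", "MB51"},
    "Z_DISPLAY_ALL": {"FB03", "ME23N", "MB51", "XK03"},
    "Z_AP_ALL": {"FB60", "MIRO", "F110"},  # conflict built into the role itself
}
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],     # P002, no mitigation
    "bob": ["Z_VENDOR_MASTER", "Z_AP_PAYMENTS"],  # P001, mitigated
    "carol": ["Z_BUYER", "Z_DISPLAY_ALL"],        # clean
    "dave": ["Z_BUYER", "Z_WAREHOUSE"],           # P003, no mitigation
}
# Mitigating controls approved for a (user, rule) pair, e.g. a monthly review of
# payments to newly created vendors. The control id is constructed.
MITIGATIONS: Dict[Tuple[str, str], str] = {("bob", "P001"): "MC-017"}


@dataclass(frozen=True)
class Violation:
    subject: str          # user or role the rule fired for
    rule_id: str
    risk: str
    tcodes_a: frozenset   # tcodes held from function A
    tcodes_b: frozenset   # tcodes held from function B
    mitigation: Optional[str] = None


def violations_for(subject: str, tcodes: Set[str],
                   mitigations: Optional[Dict[Tuple[str, str], str]] = None) -> List[Violation]:
    """Apply every rule in the library to one set of effective tcodes.

    Matching on tcode names only is a simplification: SAP GRC also evaluates
    authorization objects, so a display-only variant would not fire there.
    """
    found = []
    for rule_id, _desc, fa, fb, risk in RULES:
        hit_a, hit_b = tcodes & FUNCTIONS[fa], tcodes & FUNCTIONS[fb]
        if hit_a and hit_b:
            mit = (mitigations or {}).get((subject, rule_id))
            found.append(Violation(subject, rule_id, risk, frozenset(hit_a), frozenset(hit_b), mit))
    return found


def user_tcodes(user: str) -> Set[str]:
    """Effective tcodes: the union over every role assigned to the user."""
    return set().union(*(ROLE_TCODES[r] for r in USER_ROLES[user]))


def find_violations(user: str) -> List[Violation]:
    """Detective control: user-level conflicts, with any accepted mitigation attached."""
    return violations_for(user, user_tcodes(user), MITIGATIONS)


def role_conflicts(role: str) -> List[Violation]:
    """Preventive control: flag a role that carries a conflict before it is ever assigned."""
    return violations_for(role, ROLE_TCODES[role])


def unmitigated_violations() -> List[Violation]:
    """The residual risk an auditor asks about: conflicts with no control behind them."""
    return [v for u in USER_ROLES for v in find_violations(u) if v.mitigation is None]


def share_of_users(pred: Callable[[int], bool]) -> float:
    """Share of users whose effective tcode count satisfies pred, the kind of
    before/after figure quoted in the text (e.g. users with more than 500 tcodes)."""
    counts = [len(user_tcodes(u)) for u in USER_ROLES]
    return sum(1 for n in counts if pred(n)) / len(counts)


if __name__ == "__main__":
    for user in USER_ROLES:
        for v in find_violations(user):
            status = f"mitigated by {v.mitigation}" if v.mitigation else "UNMITIGATED"
            print(f"{v.subject}: {v.rule_id} ({v.risk}) {sorted(v.tcodes_a)} x {sorted(v.tcodes_b)} {status}")
    print("roles with built-in conflicts:", [r for r in ROLE_TCODES if role_conflicts(r)])
    print("share of users with more than 5 tcodes:", share_of_users(lambda n: n > 5))
```

Two design points carry over to a real deployment. The role-level check is what makes the "enforce SoD compliance from the start" claim concrete: Z_AP_ALL is rejected by role_conflicts before any provisioning request references it, whereas alice's conflict only surfaces at user level because two individually clean roles were combined. And a mitigation is attached to a (user, rule) pair, not to a user, so bob's accepted P001 risk does not silently cover a later P002 conflict if his roles change.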